Having an open recursive DNS resolver exposed on the internet is a bad thing. Many of you are using DNSMasq as a client-side cache, but with recursion open to anyone it effectively turns your machine into a security threat (much like running an open mail relay). So here’s how to fix it quickly on your OpenVPN servers.

All we’re going to do is bind the DNSMasq process to only listen for connections on the tun0 interface. In other words, if you’re not on the VPN, you don’t get to use DNSMasq.
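One way to confirm the binding took effect is to list the port-53 listeners and flag any that are not on the VPN address or loopback. This is an added example, not part of the original post; the function name, the VPN address 10.8.0.1 and both socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: list port-53 listeners that are reachable off the VPN.
# Live use (assumed invocation): ss -H -ltun | exposed_dns_listeners 10.8.0.1

# Reads socket-listing lines on stdin and prints each local address
# listening on port 53 that is neither the VPN address ($1) nor loopback.
exposed_dns_listeners() {
    awk -v vpn="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:53$/) {            # first match is the local address
                addr = $i
                sub(/:53$/, "", addr)     # drop the port
                sub(/%.*$/, "", addr)     # drop an interface scope such as %tun0
                if (addr != vpn && addr !~ /^127\./ && addr != "[::1]")
                    print addr
                break
            }
        }
    }'
}

# Constructed listing: DNSMasq on the wildcard address (open to everyone).
sample_before() {
    cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 [::]:53 [::]:*
udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
EOF
}

# Constructed listing: DNSMasq bound to the tun0 address and loopback only.
sample_after() {
    cat <<'EOF'
udp UNCONN 0 0 10.8.0.1:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:*
tcp LISTEN 0 32 10.8.0.1:53 0.0.0.0:*
EOF
}

echo "exposed before:"; sample_before | exposed_dns_listeners 10.8.0.1
echo "exposed after:";  sample_after  | exposed_dns_listeners 10.8.0.1
```

DNSMasq's `interface=` option on its own still binds the wildcard address and discards off-interface queries in software, so the listing only shows the tun0 address once `bind-interfaces` is also set.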